Our insider said most new 2020 model cars feature “info-tainment” systems with open internet connections that link with a car’s computer technology; it contains all a hacker needs to crash a car you’re driving
By Randy Mac, KNBC TV-4 Los Angeles, CA
July 31, 2019
The LA-based Consumer Watchdog group, with the help of software technologists, have released an alarming report about cyber security risks to new cars Wednesday.
According to the report, cars with internet connections are vulnerable to a hack while you’re behind the wheel, which means you could lose control of the car while driving.
An industry insider who helped author the report revealed in an exclusive interview with NBCLA’s I-Team that the report was published to warn consumers that they may not be safe behind the wheel of newer internet-connected cars.
The insider, who will remain anonymous, said he joined 20 other colleagues to produce the report.
“By the end of the year, it’s going to be very, very difficult to buy a new car in this country that does not have built in always-on-internet connectivity,” the automotive software engineer said.
Our insider said most new 2020 model cars feature “info-tainment” systems with open internet connections that link with a car’s computer technology; it contains all a hacker needs to crash a car you’re driving.
“This is happening. This is not science fiction. This is happening today,” the insider said.
“Connected cars are now the most serious national security threat we have,” said Jamie Court of the Consumer Watchdog group.
The consumer watchdog group along with automotive technologists have authored the report “Kill Switch,” which demands the automotive industry provide consumers with a mechanism or switch to disconnect their cars’ critical safety systems — like steering, brakes, and engine — from continuous internet connectivity, which they say can put control of your car at a hacker’s fingertips.
“If I’m someone who wants to do harm to do harm to America, I forget about the electric grid, I forget about the elections system — I go to your car,” Court said.
Cyber security researchers in China produced videos where they’ve controlled a Tesla through its internet-connected computer. Everything from opening its sunroof and moving seats.
You can find similar videos online for jeep and other models being remotely controlled by a hacker — even steering.
“What we are talking about is a trend that is covering the entire auto industry and it’s a very unsafe one,” the insider said.
According to the report, the top 10 car brands nationally all sell internet-connected cars.
The three top-selling car makers in the U.S. — GM, Toyota and Ford — will only sell internet-connected cars by the end of this year.
“Security in the software is no better in the cars than it is in the cellphones,” the insider said.
He says a kill switch would only cost about 50 cents per vehicle, allowing drivers to disconnect safety systems from internet connectivity.
He said he believes the reason automakers haven’t addressed the issue is because it’s cheaper to fix cars through remote software downloads instead of recalls. He also postulates: What happens if hackers with malicious intent take control of entire fleets of cars simultaneously?
“That is absolutely a strategic target to any number of state actors, terrorist groups,” he said.
Court said it’s something that has to be addressed.
“It’s just a question of when, and if people are going to die for it to happen, we’re hoping this report will save lives,” Court said.
NBCLA’s I-Team reached out to a number of automakers for reaction to the “Kill Switch” report.
Toyota, GM and Ford deferred to the following statement released by the Alliance of Automobile Manufacturers, which represents the industry.
Statement from Auto Alliance:
It is not unusual to see groups seeking attention right before the August cybersecurity meetings in Vegas. Here is our reaction…. today, cybersecurity is a priority to every industry using computer systems, including automobiles. Automakers know their customers care about security, and automakers are taking many protective actions, including designing vehicles from the start with security features and adding cybersecurity measures to new and redesigned models.
Automakers are partnering with public and private research groups to share new solutions and participating in multiple cyber forums on emerging issues. In 2015, automakers launched an Information Sharing and Analysis Center (Auto-ISAC) that now includes 51 global automakers and suppliers, and the ISAC has developed a series of Best Practices on cybersecurity.
Experts at the world’s largest automotive standards bodies – the International Organization for Standardization (ISO) and SAE International – have joined forces to develop a unified international standard for automotive cybersecurity.
Automakers also continue to confer with policymakers on cybersecurity matters. We have more info here: http://www.AutomotiveCybersecurity.com.
Cybersecurity is everyone’s responsibility, and consumers – along with automakers and their suppliers — need to be vigilant. Consumers should exercise good cyber hygiene in all they do, including properly pairing a phone to a car, deleting phone data from rental cars (if paired), and being active in doing the maintenance and updates as requested for phones and vehicles.
Also, the Society of Automotive Engineers is a good source for more info. SAE has about 15,000 automotive engineers worldwide with groups working on cybersecurity. For example, SAE has been working for some time to update various OBD standards and best practices to harden vehicles against potentially compromised external devices or connections to the OBD II connector.
Honda also responded with the following statement.
Statement from American Honda Motor Co., Inc. Regarding Vehicle Cybersecurity:
The cybersecurity landscape for all industries, including the auto industry, continues to evolve and present challenges to companies that are committed to protecting their customers’ safety and privacy. As vehicles have become more dependent upon electronic control systems, as well as cloud-integrated, advanced communications systems, Honda has been working collaboratively with suppliers to ensure the integrity of these systems. The private and public sectors must also work together to ensure the security, by design, of products in the marketplace.
Overall, industry and individual company approaches to cybersecurity should remain flexible and nimble to enable responsiveness to cyber threats as they arise. For example, Honda is a founding member of the Automotive Information Sharing and Analysis Center (Auto-ISAC), which enables automakers to share and analyze information about cyber threats and develop mitigation strategies in a secure environment. Cultivating similar, collaborative partnerships among industry and with the government is imperative as companies confront potential cyber threats.
The Auto-ISAC, including contributions by Honda representatives, has established comprehensive Automotive Cybersecurity Best Practices (http://www.automotiveisac.com/best-practices) developed as a proactive measure to further enhance vehicle cybersecurity throughout the industry. The Best Practices provide deep technical and organizational breadth to support, develop, and improve defenses against potential cybersecurity threats of the motor vehicle ecosystem. They are grounded in ISO, NIST and other established cybersecurity frameworks but are tailored to the motor vehicle. Auto-ISAC members have committed to continuously enhancing the Best Practices over time to keep pace with the constantly evolving cyber landscape. Moving forward, Honda will look to these and other best practices as we strive to ensure a safe and secure vehicle environment for our customers.
Statement from Volvo:
Volvos internet enabled infotainment functions are separated from critical safety systems. Our critical systems, including brakes and steering, have mechanical overrides for the driver, so the driver will always have control over those systems. The input from the driver overrides everything.
See full “Kill Switch” report here: https://www.consumerwatchdog.org/sites/default/files/2019-07/KILL%20SWITCH%20%207-29-19.pdf